From 828a5f801b0fff40d50a3f2a75ee5b80f166894b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 7 Mar 2023 09:15:25 +0100
Subject: [PATCH] Check FIPS status during sign/verify_md

Resolves: rhbz#2176145
---
 ...crypt-1.10.0-fips-status-sign-verify.patch | 46 +++++++++++++++++++
 libgcrypt.spec                                |  3 ++
 2 files changed, 49 insertions(+)
 create mode 100644 libgcrypt-1.10.0-fips-status-sign-verify.patch

diff --git a/libgcrypt-1.10.0-fips-status-sign-verify.patch b/libgcrypt-1.10.0-fips-status-sign-verify.patch
new file mode 100644
index 0000000..9cf20c3
--- /dev/null
+++ b/libgcrypt-1.10.0-fips-status-sign-verify.patch
@@ -0,0 +1,46 @@
+From 654d0dfa04993ebe28c0536d42f4bc6d87c28369 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Wed, 1 Mar 2023 17:14:00 +0100
+Subject: [PATCH] visibility: Check FIPS operational status for MD+Sign
+ operation.
+
+* src/visibility.c (gcry_pk_hash_sign): Check fips status before
+calling the operation itself.
+(gcry_pk_hash_verify): Ditto.
+
+--
+
+GnuPG-bug-id: 6396
+Signed-off-by: Jakub Jelen
+---
+ src/visibility.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/visibility.c b/src/visibility.c
+index 73db3dea..1f17e147 100644
+--- a/src/visibility.c
++++ b/src/visibility.c
+@@ -1050,6 +1050,11 @@ gcry_error_t
+ gcry_pk_hash_sign (gcry_sexp_t *result, const char *data_tmpl, gcry_sexp_t skey,
+                    gcry_md_hd_t hd, gcry_ctx_t ctx)
+ {
++  if (!fips_is_operational ())
++    {
++      *result = NULL;
++      return gpg_error (fips_not_operational ());
++    }
+   return gpg_error (_gcry_pk_sign_md (result, data_tmpl, hd, skey, ctx));
+ }
+
+@@ -1065,6 +1070,8 @@ gcry_error_t
+ gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey,
+                      gcry_md_hd_t hd, gcry_ctx_t ctx)
+ {
++  if (!fips_is_operational ())
++    return gpg_error (fips_not_operational ());
+   return gpg_error (_gcry_pk_verify_md (sigval, data_tmpl, hd, pkey, ctx));
+ }
+
+--
+2.39.2
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 06f01c9..048a085 100644
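Review bot: The new guards sit only in the public wrappers `gcry_pk_hash_sign` and `gcry_pk_hash_verify`; `_gcry_pk_sign_md` and `_gcry_pk_verify_md` themselves remain unchecked, so any other path that reaches them (none is visible in this hunk) would still sign or verify while the module is in the FIPS error state — worth confirming against the rest of visibility.c and the internal callers. The sign-side guard dereferences `result` unconditionally via `*result = NULL;` before the error return, which is only safe if a non-NULL `result` is part of the function's contract; confirm that against the documented contract rather than adding a speculative NULL check. No test accompanies the change; a regression test that drives the module into the error state and asserts that both entry points return the error produced by `fips_not_operational ()` (with `*result` left NULL for the sign case) would pin this behaviour against future refactoring. If doc/gcrypt.texi describes these two functions, its entries should also mention this new failure mode.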
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -56,6 +56,8 @@ Patch17: libgcrypt-1.10.0-fips-indicator-md-hmac.patch
 # https://dev.gnupg.org/T6394
 # https://dev.gnupg.org/T6397
 Patch18: libgcrypt-1.10.0-fips-pct.patch
+# https://dev.gnupg.org/T6396
+Patch19: libgcrypt-1.10.0-fips-status-sign-verify.patch
 
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -107,6 +109,7 @@ applications using libgcrypt.
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 
 %build
 # This package has a configure test which uses ASMs, but does not link the
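Review bot: The two spec hunks register Patch19 and apply it, but as far as the diffstat shows (2 files changed, 49 insertions) neither the Release tag nor %changelog is touched, so a rebuild would produce the same NEVR as the previous build unless this package relies on rpmautospec (%autorelease/%autochangelog), which cannot be determined from the hunks shown. The `# https://dev.gnupg.org/T6396` comment follows the neighbours' convention of citing the upstream ticket; adding the Bugzilla reference from the commit message on the same comment line, e.g. `# https://dev.gnupg.org/T6396 (rhbz#2176145)`, would keep the upstream-to-downstream mapping visible in the spec itself.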